Hi,
Setup is as follows:
- 2 SSIDs, both open, both using hotspot
- SSID1, local auth, generic user (admin/admin) for customers or whatever - hostpot profile - pool A, subnet A(192.168.168.0/25)
- SSID2, radius auth - hostpot-secure profile - pool B, subnet B(192.168.168.128/25)
So 2 SSIDs, 2 servers, 2 interfaces, 2 pools,2 hs user profiles, etc.
SSID2(secure) is slave for wifi interface running SSID1.
Because the hotspot user is assigned to server, when using radius the user profile will always use default, no matter what you do.
Let me show you:
sep/14 15:12:32 wireless,info some_mac@Secured: connected
sep/14 15:12:32 dhcp,info secured deassigned 192.168.168.150 from some_mac
sep/14 15:12:32 dhcp,info secured assigned 192.168.168.150 to some_mac
sep/14 15:12:33 hotspot,debug Server-Secure: new host detected some_mac/192.168.168.150 by UDP :40656 → some_ip:53
sep/14 15:12:33 hotspot,debug Server-Secure: dhcp host some_mac/192.168.168.150 added, ip 192.168.168.150
sep/14 15:12:49 hotspot,info,debug some_radius_user (192.168.168.150): trying to log in by http-chap
sep/14 15:12:49 hotspot,debug some_radius_user (192.168.168.150): local user not found
sep/14 15:12:49 hotspot,debug some_radius_user (192.168.168.150): sending RADIUS authentication request
sep/14 15:12:49 hotspot,debug some_radius_user (192.168.168.150): Access-Accept from RADIUS
sep/14 15:12:49 hotspot,debug some_radius_user (192.168.168.150): using profile
sep/14 15:12:49 hotspot,debug some_radius_user (192.168.168.150): getting ip address from pool
sep/14 15:12:49 hotspot,debug some_radius_user (192.168.168.150): using ip 192.168.168.50
sep/14 15:12:49 hotspot,debug some_radius_user (192.168.168.50): adding ip->user binding
sep/14 15:12:49 hotspot,account,info,debug some_radius_user (192.168.168.50): logged in
This means that instead of getting ip from the right pool set on the profile, you get ip form default profile aka wrong pool.
And no connectivity because of the different subnet, etc.
Above you shoud get ip from hostpot-secure not hotspot profile.
Like this:
sep/14 15:28:47 hotspot,debug Server-Secure: dhcp host some_mac/192.168.168.150 added, ip 192.168.168.150
sep/14 15:28:59 hotspot,info,debug some_radius_user (192.168.168.150): trying to log in by http-chap
sep/14 15:28:59 hotspot,debug some_radius_user (192.168.168.150): local user not found
sep/14 15:28:59 hotspot,debug some_radius_user (192.168.168.150): sending RADIUS authentication request
sep/14 15:29:00 hotspot,debug some_radius_user (192.168.168.150): Access-Accept from RADIUS
sep/14 15:29:00 hotspot,debug some_radius_user (192.168.168.150): using profile
sep/14 15:29:00 hotspot,debug some_radius_user (192.168.168.150): getting ip address from pool
sep/14 15:29:00 hotspot,debug some_radius_user (192.168.168.150): using ip 192.168.168.200
sep/14 15:29:00 hotspot,debug some_radius_user (192.168.168.200): adding ip->user binding
sep/14 15:29:00 hotspot,account,info,debug some_radius_user (192.168.168.200): logged in
I tricked it by renaming the default profile as secure and use the other hotspot profile for casual users, because in case of local users you set profile per user.
But what do you do if you need 2 or more hotspots with radius authentication?
You always get ip form the profile designated as default, which is a big issue.
I’m not sure if this belongs in general or wireless since it’s not a wifi problem, it’s a hotspot problem.
@Mikrotik - please make a way for radius auth to select a profile